> I think there are lots of problems with this, not least the object churn
> and wasted event notification.
> Should a session cookie be set?
>
> What if generated HTML contains a href with the session ID encoded in the
> URL and that causes the client to send a request before the generated HTML
> is fully generated (and thus the request is not finished)? Will that
> request see the same session? If not, why not? If it does, when does the
> session get invalidated? If it is a long polling application, there may
> never be a time when there is no request in the container and the session
> may live for a long time.
>
> HttpSession semantics are ropey enough without introducing such difficult
> racy transient invalidation.
Agreed. This looks initially like a decent idea, but it would likely be horrible in practice.
Rémy